path: root/src/vnet
Age | Commit message | Author | Files, lines -/+
2023-02-07 | ipsec: fix AES CBC IV generation (CVE-2022-46397) [stable/2106] | Benoît Ganne | 3 files, -29/+65
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C). Chaining IVs, as is done by the ipsecmb and native backends for VNET_CRYPTO_OP_FLAG_INIT_IV, is fully predictable. Encrypt a counter as part of the message, making the (predictable) counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-06-29 | session: free ctrl event data on connect rpc | Florin Coras | 1 file, -0/+1
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I56c4682aef59ed0e69073f9001341c425e65bd48
(cherry picked from commit 595724a49072b30356e365ce78a3cc815980d342)
2021-06-22 | session: avoid reordering unlisten and connect msg | Florin Coras | 1 file, -6/+33
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibe32f7965f8cf457c39845713b029c8a4647ee55
(cherry picked from commit c53eb72931bc8c75204141f3952ac7682f0ae697)
2021-06-17 | tls: increase engine bits room in handle to support custom engine type | jxm | 1 file, -1/+1
Type: improvement
Signed-off-by: jxm <jiangxiaoming@outlook.com>
Change-Id: I80a51e841f9727b68d1de713b6b6d51675ef53c5
(cherry picked from commit 975fde82b11307180b3df7dc9b5b1b496f207a08)
2021-06-14 | session: fix listener ct transport retrieval on accept [v21.06-rc2] | Florin Coras | 1 file, -6/+8
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ied2608e7a28c59c908803ca676abbe93072fadb8
(cherry picked from commit ba02641cc7a27ff02aca65036ffc4bd003497f0b)
2021-06-14 | tcp: fix proto in port reuse check | Florin Coras | 1 file, -2/+2
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I338e61654a62ed6308ecd8bb15e1a8b13cd859b9
(cherry picked from commit 41a6fbada173b2733ca3b43bf620d6a9634c50da)
2021-06-11 | session: half-open free only on main thread | Florin Coras | 1 file, -4/+3
TCP and (D)TLS clean up half-opens on main without a lock/barrier, so cleanup initiated from the first worker, e.g., cut-throughs, can corrupt the session pool.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I2e5162831c0e201b22454f17fe55bfac44b85fa9
(cherry picked from commit 6bd54caf46aaa68dddbae6161688d428ce60550b)
2021-06-09 | fib: make sure dpo is valid even when path pool expands | Benoît Ganne | 1 file, -8/+22
The path pool can expand in fib_path_attached_next_hop_get_adj() when calling adj_nbr_add_or_lock(). If dpo points to a path->fp_dpo, its reference becomes stale. Use a temporary copy instead.
Type: fix
Change-Id: Ie966cb5f3f7b416425964dca12f1f586bfc2010c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit e9d7b0982d7bd189097260b6581abff472da251a)
2021-06-09 | fib: make sure adj is valid during walk | Benoît Ganne | 1 file, -0/+3
The adj can be deleted during fib_walk_sync(); make sure it can happen only after clearing the SYNC_WALK_ACTIVE flag.
Type: fix
Change-Id: I68be00e9602e2783d9dced71c51547c38b7e8a00
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 9f10edbb46dc1937ed99469a581723cb1ac1ff45)
2021-06-09 | ipsec: fix crypto ops in esp decrypt | Benoît Ganne | 1 file, -2/+7
When both chained and non-chained buffers are processed in the same vector, make sure the non-chained buffers are processed as non-chained crypto ops.
Type: fix
Change-Id: I19fc02c25a0d5e2e8a1342e2b88bbae3fe92862f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit e631ece4aa32b33651ed458200ab551ffb8fbb47)
2021-06-03 | session: avoid ct connects loop | Florin Coras | 1 file, -1/+2
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I99af136ecab9be1f9e00de6d197b8f1c74ab4b20
(cherry picked from commit 821b5002bf5cd18e1ec7750ff1b6fb379b241869)
2021-06-03 | session: lcl transport info on accept | Florin Coras | 2 files, -0/+3
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia46b0b8afed30f84b244c06f0457303f9e8832cd
(cherry picked from commit 67c90a32b7ad0c5a38c483ce849cc7a231e7ba54)
2021-06-01 | interface: fix vnet_sw_interface_update_unnumbered | Dave Barach | 1 file, -6/+13
Unless a software interface is actually unnumbered, do not set ip[46]_main.lookup_main.if_address_pool_index_by_sw_if_index[sw_if_index] to ~0.
Fixes this scenario:
loop create
set int state loop0 up
create sub-interface loop0 1
set interface ip addr loop0.1 192.168.1.1/24
delete sub-interface loop0.1
set int ip addr loop0 192.168.1.1/24
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I46141d862fa57d70b93d7bb0c105403708165264
(cherry picked from commit 64d20e76b9108c9158b2b538cd2312d740f48103)
2021-05-26 | fib: During the mfib lookup set the unicast FIB index in the packet so that a uRPF check on a for-us packet is done in the correct VRF | Neale Ranns | 1 file, -26/+28
Type: fix
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iafa6efea0d96962aa9136dccefc148a961f74476
2021-05-25 | srtp: basic implementation based on libsrtp2 | Florin Coras | 2 files, -2/+3
Type: feature
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic5e99938a5f130e83de6d590d2f89252d055bceb
2021-05-25 | interface: show if tx queue is shared | Damjan Marion | 1 file, -4/+6
Type: improvement
Change-Id: Idb48f835730db6c652c4b0e6ef310c7f36599a72
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-21 | session: improve main thread connects rpc | Florin Coras | 2 files, -18/+26
Avoid grabbing the worker barrier if there's no work to be done.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ice3de5df41cd1752aba3419ad2e2dd82f30e9bfb
2021-05-21 | bfd: use vnet crypto | Klement Sekera | 3 files, -104/+43
Type: improvement
Change-Id: I873a99c1258a97ed5ed195b9756e8302f865e7f0
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2021-05-21 | ipsec: Default the IPSec interface MTU to 9000 | Neale Ranns | 1 file, -0/+1
Type: fix
The same value is used for other tunnel types.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I6593001918993d65f127cc9f716c95e932239842
2021-05-20 | gre: Walk IPv6 adjacencies during restack | Matthew Smith | 1 file, -2/+4
Type: fix
If a GRE tunnel is created and the peer is not resolved yet and an IPv6 route is added which points to the tunnel, packets matching the route will be dropped. When the tunnel peer is resolved, adjacencies on the tunnel interface should be restacked and packets matching the route can be encapsulated and sent. There is a loop that is intended to do this for both IPv4 and IPv6. The call to walk adjacencies is invoked in a "return" statement though. So the loop is exited and the function returns before IPv6 adjacencies are walked. Remove the return so the loop finishes.
Change-Id: Ia4f695681713020209ea490ae4142857cea49c41
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-05-20 | tls svm: prealloc tcp fifo chunks before ssl write | Florin Coras | 1 file, -1/+3
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7c47b55ec6f0c83f2d13e0e737d0559a32f7c837
2021-05-20 | session: fix transport half-open cleanup call | Florin Coras | 1 file, -1/+1
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I47d241a8f2f9e9d0761d14dcddd3327c3b28932c
2021-05-19 | session: cleanup event llist usage | Florin Coras | 3 files, -41/+27
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I750c856ac81d951e8c0e62c710e0f35a0c80d6f9
2021-05-19 | session: fix session queue node access on disable | Florin Coras | 1 file, -1/+1
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie4e3623e7e00456437fac5fb8f9c9083f1aa2a2e
2021-05-19 | interface: shared tx queue support | Damjan Marion | 2 files, -4/+7
Type: improvement
Change-Id: I6bb7b6d6bd63b044952ab981be5b0673144c9834
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-18 | tls: fix dtls with no workers | Florin Coras | 4 files, -10/+22
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Iecc33fda7f28c037289775ffe0525a50f89a2b8c
2021-05-18 | session: poll main thread if pending connects | Florin Coras | 3 files, -48/+76
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie8a15c50531f3ccd5f91dbc0779e4d9c0d146844
2021-05-18 | session: only handle old ctrl events per dispatch | Florin Coras | 1 file, -6/+12
Avoids dispatching ctrl events generated while handling the current pending list.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibeaf901ba4cf58a68fbd88e5ec3c23f6c2f6f145
2021-05-18 | session: move tx-buffers to tx ctx | Florin Coras | 2 files, -16/+14
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I10ec410fb7f3acb47128dda23510162dc13b20d0
2021-05-17 | virtio: add the checks for descriptors chain len | Mohsin Kazmi | 1 file, -0/+23
Type: fix
virtio uses indirect descriptors for chained buffers. The indirect descriptor chain is mapped onto a vlib_buffer_t. A single descriptor is 16 bytes and a vlib_buffer_t has 2048 bytes of space, so the longest chain can have 128 (=2048/16) indirect descriptors. This patch adds a check to make sure the descriptor chain length does not exceed 128.
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I060cfb7709568f42c9b5634527172690ce66a1a3
2021-05-16 | session: rpc for connects to main | Florin Coras | 3 files, -5/+88
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ifa47e1500e5cfb3c717f87b1d21131b9531c9005
2021-05-15 | session: fix coverity warning | Florin Coras | 1 file, -1/+1
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I24484a5192d7e683507ed640f75fb37914c0efb0
2021-05-14 | tcp: remove ho lock | Florin Coras | 3 files, -13/+0
Half-open sessions are allocated by main thread and cleaned up on main with timers.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I37f000920a45908b62b5501ae9d54a88a9e4c609
2021-05-14 | vlib: pass node runtime to vlib_buffer_enqueue_to_thread() | Damjan Marion | 7 files, -16/+12
Mechanical change for patch following this one...
Type: improvement
Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-14 | interface: fix coverity in update_runtime_data | Mohammed Hawari | 1 file, -1/+1
Change-Id: I59eb41516b5e052109428ae70660ed49126c25bb
Type: fix
Signed-off-by: Mohammed Hawari <mohammed@hawari.fr>
2021-05-14 | interface: update tx queue runtime if vector size changes | Damjan Marion | 1 file, -1/+5
Fixes an issue which causes a crash when VPP runs with only the main thread.
Type: fix
Change-Id: Ia0ca973bb7e7ff81f15b37764ae248e2502bdcec
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-14 | session: switch ct to vc and track half-opens | Florin Coras | 5 files, -77/+220
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7f9c4b9b6e523ab549087ad21724f34f08fca793
2021-05-14 | tls: switch dtls to vc and track half-opens | Florin Coras | 4 files, -14/+132
Also adds support for half-open transport migration.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id04c194138956336f93246bbed0332a7030c67e2
2021-05-13 | interface: fix tx queue runtime update | Damjan Marion | 1 file, -0/+2
Type: fix
Change-Id: I5ce7e57ae277de26af602fe786048bf21b8612f8
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-13 | tests: move test source to vpp/test | Dave Wallace | 22 files, -10139/+0
- Generate copyright year and version instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
2021-05-12 | flow: fix vxlan vni convert bug | Chenmin Sun | 1 file, -2/+2
This patch fixes a vxlan vni field conversion bug in the flow api layer.
Type: fix
Signed-off-by: Chenmin Sun <chenmin.sun@intel.com>
Change-Id: I37b2ffb54792f48b390ff42da577db2c4869d253
2021-05-12 | tls: switch to vc service and track half-open sessions | Florin Coras | 7 files, -19/+78
Half-open tls sessions are now tracked by the app worker and are cleaned up only when tcp cleans up its half-open session, i.e., independent of when the established tls context is allocated.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If5d594d7095192dd527daf4ea1358ffeccdfcc7a
2021-05-12 | session: return connect session handle to app | Florin Coras | 6 files, -32/+36
App transports not supported for now. Will have to be updated individually.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I75cb6c4e1c5af008af72858a9ee573016812abd4
2021-05-12 | session: support half-close connection | liuyacan | 9 files, -5/+139
Some apps (e.g. Envoy) may call shutdown() instead of close() when draining a connection.
Type: improvement
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I9543b9ca3caa87b10b134fd1fc4019124e41e4d2
2021-05-11 | ip: ensure ttl doesn't decrease to 0 when punting | Aloys Augustin | 1 file, -0/+2
Change-Id: I248ef12fd34ea2a1c383fbcc530a8ffeb31ba92b
Type: fix
Signed-off-by: Aloys Augustin <aloaugus@cisco.com>
2021-05-11 | interface: tx queue infra | Damjan Marion | 10 files, -50/+485
Type: improvement
Change-Id: I415b2f980de10ca3154d2c8677c24792453eccd0
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-10 | misc: fix crash in lawful intercept CLI | hemant_mnkcg | 1 file, -6/+6
Type: fix
Signed-off-by: hemant_mnkcg <hemant@mnkcg.com>
Change-Id: I097815617053dac09de7ad3092b3d3071770114f
2021-05-10 | session: use half-open sessions for vc establishment | Florin Coras | 9 files, -119/+126
Use half-open sessions to track virtual circuit connection establishment. These sessions can only be allocated and freed by the thread that allocates half-open connections (main). Consequently, they can only be freed on half-open cleanup notifications from transports. The goal is to simplify state tracking within the session layer, but it's also a first step towards allowing builtin apps to track and clean up outstanding connects.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8a535906d13eb7f8966deb82333839de80f8049f
2021-05-10 | gso: fix the gro coalesced chain len | Mohsin Kazmi | 1 file, -1/+2
Type: fix
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
Change-Id: I86b940384a6898d4cb04f3decf30996c94b43d07
2021-05-08 | vhost: low performance in interrupt mode in some cases | Steven Luong | 1 file, -35/+19
When vhost and another interface, say tap, are configured for interrupt mode, performance numbers may be very low from vhost. Further analysis discovers that when vhost posts an interrupt to the RX infra, there is a 10 msec delay in waking up its input routine. The delay is due to vhost posting the interrupt from the main thread, which then tries to wake up the worker thread. The fix is for vhost to move the interrupt-posting call to the corresponding input worker thread by calling vnet_hw_if_set_rx_queue_file_index() to set it up. While at it, streamline the function vhost_user_kickfd_read_ready() since it will be called from the worker thread.
Type: fix
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I9beedcd33e1558c8335da4ee7fadc51c29ee4589